Re: another pest

From: Malke (malke_at_nospoonnotreally.com)
Date: 12/23/04

    Date: Thu, 23 Dec 2004 07:03:21 -0800
    
    

    Li'l Roberto wrote:

    > XP Home system is infected with something [probably a trojan] but I am
    > unable to find the files that run at startup.
    > Here are the details:
    > msconfig shows two entries in the startup group:
    > 1. nrkmavt.exe
    > 2. gkbdu.exe
    > these two entries are also present in
    > HKCU - run key
    > HKLM - run key
    > both point to the C:\windows\system32\ folder, however neither file is
    > visible in that folder or anywhere else on the system ??? even with show
    > all files hidden\system and protected is enabled.
    > Running a search with wild cards pulls up negative, delete them and
    > they are back next reboot so my guess is there is another file
    > monitoring their presence and recreating them, but what?
    > Scans with the usual tools come up negative.
    > Any help greatly appreciated.
    >
    > rgds
    > Li'l Roberto

    Try HijackThis and try SilentRunners. Look at the SilentRunners page
    about removing CoolWebSearch variants. Although this may not be a CWS
    malware, the technique used may be applied for your situation. Here are
    links to help:

    Hijack This - where to post logs, etc.:

    http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim Eshelman
    http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis forum
    http://www.lavasoftsupport.com/index.php?showforum=44
    http://www.wilderssecurity.com/
    http://forums.tomcoyote.org/
    http://www.spywareinfo.com/forums/

    http://www.silentrunners.org/sr_cwsremoval.html

    Malke

    -- 
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
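
An added example, not part of the original thread or of HijackThis itself: a triage pass over the O4 (Run key) lines of a HijackThis log that flags the two symptoms described in the question, a startup target that no directory listing shows and the same target registered in both HKLM and HKCU. The log excerpt, the value names and the `VISIBLE_FILES` listing are constructed for illustration; only the two file names come from the post.

```python
import re
from collections import defaultdict

# Constructed HijackThis-style log excerpt (value names are assumptions).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -min
O4 - HKLM\..\Run: [nrkmavt] C:\WINDOWS\system32\nrkmavt.exe
O4 - HKLM\..\Run: [gkbdu] C:\WINDOWS\system32\gkbdu.exe /s
O4 - HKCU\..\Run: [nrkmavt] C:\WINDOWS\system32\nrkmavt.exe
O4 - HKCU\..\Run: [gkbdu] C:\WINDOWS\system32\gkbdu.exe /s
O23 - Service: Example Service - Unknown owner - C:\Program Files\Example\svc.exe
"""

# Constructed stand-in for a recursive directory listing (lower-cased paths).
VISIBLE_FILES = {r"c:\program files\example\tray.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_path(cmd):
    """Return the executable part of a Run command line, lower-cased."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|com|bat|scr))(?=\s|$)', cmd, re.I)
    path = (m.group(1) or m.group(2)) if m else cmd.split()[0]
    return path.lower()

def triage(log_text, visible_files):
    """List (path, hives, reasons) for every Run target worth a closer look."""
    hives = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:  # non-O4 sections of the log are ignored
            hives[exe_path(m["cmd"])].add(m["hive"])
    findings = []
    for path, seen in sorted(hives.items()):
        reasons = []
        if path not in visible_files:
            reasons.append("target not visible on disk")
        if len(seen) > 1:
            reasons.append("registered in both HKLM and HKCU")
        if reasons:
            findings.append((path, sorted(seen), reasons))
    return findings

if __name__ == "__main__":
    for path, seen, reasons in triage(SAMPLE_LOG, VISIBLE_FILES):
        print(f"{path} [{', '.join(seen)}]: {'; '.join(reasons)}")
```

A target that is registered to run but appears in no listing taken on the running system is worth comparing against a listing taken with the disk mounted offline.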
    
